MINUTES

                             IEEE P1363:
Standard for RSA, Diffie-Hellman, and Related Public-Key Cryptography

                             May 18, 1994
                         Oakland, California

Burt Kaliski opened the meeting at 1:13 pm.  The announced agenda was:

    1. Approval of Minutes from January Meeting
    2. Outline of the Standard
    3. Schedule and Milestones
    4. Work Assignments

Those in attendance are listed in Appendix 1.

The minutes from the January 1994 meeting were distributed, along with
the agenda.  Motions to approve the agenda (Motion 1) and accept the minutes
(Motion 2) passed unanimously.

Some previously distributed documents were made available:

* RSA Labs Public Key Cryptography Standards (PKCS) (Nov. 1993 release)
* ANSI X9.31-1992 part 1 draft (March 1993)
* IEEE Project Authorization Request (PAR) for P1363 (June 1993)
* PKP letter claiming patent coverage of public-key cryptography,
  and promising reasonable licensing for RSA signatures (April, 1990)
* Standard for RSA, Diffie-Hellman and Related Public-Key Cryptography: A
  Project Authorization Request, presentation by Burt Kaliski, May 10, 1993

New documents distributed:

* March 9, 1994 letter from Burt Kaliski to PKP
* March 28, 1994 reply from PKP
* P1363 meeting announcement

Kaliski reported that he sent a letter to Public Key Partners (PKP)
requesting patent licensing terms.  A copy of that March 9, 1994
letter was distributed.

A letter from PKP to Kaliski dated March 28, 1994 was distributed.  It
stated that PKP was negotiating with the federal government over the
DSA, and that there was uncertainty regarding licensing of the DSA at
this time.  The letter was not really responsive to Kaliski's letter.
Kaliski said that he was making an effort to get a more direct
response from PKP.

Kaliski announced that an Internet ftp server had been set up at RSA
Data Security for the working group.  The address is rsa.com and the
directory for documents is /pub/p1363.  Login as anonymous.  There is
also an unmoderated email list, with address p1363@rsa.com.  You can
get on or off the list by sending mail to p1363-request@rsa.com.

The scope of the group's work was reviewed.  It broadly covers
anything to do with "public key", the main areas listed in the PAR being:

        1. key management
        2. authentication
        3. encryption
        4. key generation
        5. microprocessor support

There was a discussion of patent problems.  Schlafly argued that it was
improper to work on a RSA standard when PKP had not agreed to a
reasonable and nondiscriminatory licensing policy, as required by the
IEEE operations manual.  Section 6.3.2 says that PKP must submit a
draft license "prior to any significant drafting of the standard".
Others argued that PKP was likely to produce some sort of letter, so
we should not waste time waiting.

Schlafly also argued that even if PKP offers a patent policy for RSA,
RSA will still not meet the requirements of section 6.3.1 that "There
are no alternative methods or devices that can be used to meet the
requirements of the standard without infringing the patent."  Schlafly
claimed that ElGamal and elliptic curve technologies are viable
patent-free alternatives to RSA.  This was a matter of some dispute,
as PKP has patents with broad claims, and that PKP would assert that
any public key technology is infringing.  Schlafly argued that those
patents expire in three years anyway, so we could ignore them on the
assumption that it will probably be about three years before the IEEE
standard issues.  Most of those present exhibited a strong preference
for RSA, citing market acceptance of RSA.

Our only foreign representative present, Preneel of Belgium, argued
that we should be conscious of doing an international standard, and
RSA is popular in Europe where it is not patented.

Schlafly moved (Motion 3) that we stop work on RSA because of the patent
difficulties.  The motion was rejected, with 1 yes, 9 noes, and 3
abstentions.

Arnold drafted a proposed outline for our standards.  The major
sections were

        1. Introduction
        2. RSA
        3. Diffie-Hellman
        4. Related algorithms
        5. Hardware support
        Appendices

There was some discussion of what should be in the standard, what in
non-binding appendices, and what in annexes which may or may not be
binding.  Nothing definite was decided.

Schlafly raised the issue of whether we are obligated to include RSA,
or whether we can use another public key technology instead.  Arnold
argued that we were, because we should be interoperable with a de
facto RSA standard.  Kaliski said we could abandon RSA even though
RSA was in our title.  A couple of members indicated that RSA was
their main interest in working group participation.

Motion 4 was passed unanimously to hold the next meeting during the
Crypto '94 conference in Santa Barbara the week of August 22.  No
precise date was set, but it will likely be either the afternoon of
Tuesday Aug. 23 or Thursday Aug. 25.

A number of suggested additions to the outline were made.  We added a
section on random and pseudorandom numbers.  Some thought we should
have a section on password handling or pass phrase protection of a
secret key, although this is near the boundary of our scope.  It was
agreed that we ought to try to avoid user-related issues.  Some
favored a validation suite, but we'll probably just do a set of test
vectors.  The possibility of specifying an application program
interface (API) was mentioned, but is not a priority.  Several people
thought sections offering rationales for decisions, as done in some
other standards, was a good idea.

Someone mentioned possibly adding stuff on zero knowledge and blind
signatures if we get ambitious.

Kaliski suggesting organizing the material so that the algorithm
specification is separate from that of the services they provide.
Others thought this was premature, and that we could try it once we
have something in writing.

Motion 5 to accept the outline, as amended, passed unanimously.
The outline is in Appendix 2, below.

Scott Vanstone, the chief proponent of elliptic curves in the group,
was not present, but he emailed a message to Kaliski that he wishes to
participate in drafting an elliptic curve standard.

We took volunteers to coordinate drafting sections specified in the
outline.  They are:

        Oliver, RSA
        Kennedy, Diffie-Hellman
        Schlafly, ElGamal
        Vanstone, elliptic curves
        Arnold, hardware
        Kaliski, random numbers (with help from Robertson)
        Berson, services

The coordinators were encouraged to use the p1363 email list in order
to get documents reviewed prior to the August meeting.

There was some discussion about how we might adopt a consistent style and
notation, but nothing firm was decided.

Motion 6 to adjourn was passed unanimously at 5:06 pm.


Appendix 1

Terry Arnold, Vice-Chair
Tom Berson
Richard Feingold
Roger Golliver
Burt Kaliski, Chair
Paul A. Karger
John Kennedy
Steve Kent
Warren Monroe
Mark Oliver
Bart Preneel
Karen Randall
Richard L. Robertson
Roger Schlafly, Secretary
Walter Tuvell


Appendix 2

P1363 Outline
Version Approved at 18 May 1994 Meeting

1.   Introduction
1.1  Scope and Purpose
1.2  Standards Comparability
1.3  References
1.4  Acronyms, Definitions, and Notation
1.4.1     Acronyms
1.4.2     Definitions
1.4.3     Notation
1.5  Patent Data
1.5.1     Applicable Patents
1.5.2     Patent License Information
1.6  Cryptographic Service Definitions
2.   Rivest-Shamir-Adleman Algorithm
2.1  Basic Algorithm
2.2  Services Provided
2.3  Encryption
2.4  Decryption
2.5  Signature
2.6  Signature Verification
2.7  Key Length Considerations
2.8  Key Generation Considerations
2.9  Key Syntax
2.10 Key Management
2.11 Applications (not part of standard)
3.   Diffie-Hellman Algorithm
3.1  Basic Algorithm
3.2  Services Provided
3.3  Key Agreement Protocol
3.4  Key Length Considerations
3.5  Key Generation Considerations
3.6  Key Syntax
3.7  Key Management
3.8  Applications (not part of the standard)
4.   Related Algorithms (not part of the standard)
5.   El Gamal
5.1  Basic Algorithm
5.2  Services Provided
5.3  Encryption
5.4  Decryption
5.5  Signature
5.6  Signature Verification
5.7  Key Length Considerations
5.8  Key Generation Considerations
5.9  Key Syntax
5.10 Key Management
5.11 Applications (not part of standard)
6.   Elliptic Curve Systems
6.1  Basic Algorithm
6.2  Services Provided
6.3  Encryption
6.4  Decryption
6.5  Signature
6.6  Signature Verification
6.7  Key Length Considerations
6.8  Key Generation Considerations
6.9  Key Syntax
6.10 Key Management
6.11 Applications (not part of standard)
7.   Hardware Support
7.1  Special Purpose Arithmetic Units
7.2  Protective Packaging
8.   Random Number Generation

Appendices (not part of the Standard)
A    Prime Testing
B    Modular Arithmetic
C    Mathematical Background
D    Compatible Hashing Algorithms
E    Validation Suite (Test Vectors)
F    Known State of Attacks
G    Rationale